Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
Page Builder by SiteOrigin plugin for WordPress allows attackers to access server files
CVE-2026-2448
Summary
A security issue in the Page Builder by SiteOrigin plugin for WordPress can allow attackers with contributor or higher access to upload and execute malicious files on the server. This could allow them to access sensitive data or take control of your website. To stay safe, update the plugin to the latest version or remove it if possible.
Original title
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for...
Original description
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
nvd CVSS3.1
8.8
Vulnerability type
CWE-22
Path Traversal
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026